Mailing List Archive

Re: ANOTHER hole in NCSA httpd1.3R
Do we have answers to these questions yet? Do we want to make
a sweep through the code to try and get all the strcpy and sprintf's
knocked out?

Ay.

> From owner-www-security@ns2.rutgers.edu Wed Apr 12 13:58:52 1995
> Date: Tue, 11 Apr 1995 23:49:39 -0700
> From: Paul Phillips <paulp@cerf.net>
> Newsgroups: comp.infosystems.www.providers,comp.security.unix
> Subject: ANOTHER hole in NCSA httpd1.3R
> Organization: http://www.primus.com/staff/paulp/useless.html
> Cc: bugtraq@fc.net, www-security@ns1.rutgers.edu
> Sender: owner-www-security@ns2.Rutgers.EDU
> Content-Length: 468
>
> Looks like I posted too fast, I just found another hole in httpd.
>
> In http_access.c, function evaluate_access:
>
> if(S_ISDIR(finfo->st_mode)) strcpy_dir(path,p);
> else strcpy(path,p);
>
> The second strcpy is copying a filename (again, potentially 8192 characters)
> into a local buffer (256 characters.)
>
> Some scary info:
>
> {nic} grep strcpy *.c | wc -l
> 123
> {nic} grep sprintf *.c |wc -l
> 51
>
> There are more holes here, folks.
>
> --
> Paul Phillips
> paulp@cerf.net
>
>
Re: ANOTHER hole in NCSA httpd1.3R
/*
* "Re: ANOTHER hole in NCSA httpd1.3R" by rst@ai.mit.edu (Robert S. Thau)
* written Wed, 12 Apr 95 09:17:20 EDT
*
* The only comprehensive answer is the CERT patch. We've got it. rst
*
*/

Have you modified the URL reading routine so that it will only read
HUGE_STRING_LEN/2 characters from the client? I don't remember that
being in the CERT patch, and it's a Good Idea.

--Rob
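The two fixes discussed in this thread, the unchecked strcpy into a 256-byte local buffer in evaluate_access and Rob's suggestion of reading at most HUGE_STRING_LEN/2 characters of the request line, as an added example that is not NCSA httpd code and not from any poster. The sizes 8192 and 256 are the ones quoted above; the function names bounded_copy, accept_path, cap_request_line and constructed_path, and the buffer request_buf, are assumptions made for this example.

```c
/* Added example, not NCSA httpd source: a bounded path copy that fails
 * closed instead of overflowing the stack frame, and a request-line
 * reader capped at HUGE_STRING_LEN/2 as suggested in the thread. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define HUGE_STRING_LEN 8192   /* request buffer size quoted in the thread */
#define MAX_STRING_LEN  256    /* local path buffer size quoted in the thread */

/* Copy src into dst[dst_len]. Returns 0 on success, -1 if src (with its
 * terminating NUL) would not fit. dst is NUL-terminated either way, so a
 * caller can never read past it. This is the check the original
 * "else strcpy(path,p);" lacked. */
int bounded_copy(char *dst, size_t dst_len, const char *src)
{
    const char *end;
    size_t n;
    if (dst_len == 0)
        return -1;
    /* look for the terminator only within the space we could store */
    end = memchr(src, '\0', dst_len);
    if (end == NULL) {
        dst[0] = '\0';
        return -1;                 /* src is at least dst_len bytes: reject */
    }
    n = (size_t)(end - src);
    memcpy(dst, src, n + 1);
    return 0;
}

/* Stand-in for the path handling in evaluate_access (hypothetical name
 * accept_path): copies the request path into a fixed local buffer and
 * refuses over-long names instead of overflowing. Returns 1 if accepted. */
int accept_path(const char *p)
{
    char path[MAX_STRING_LEN];
    if (bounded_copy(path, sizeof path, p) != 0)
        return 0;                  /* would not fit: treat as a bad request */
    return 1;
}

/* Copy the first line of raw[raw_len] into buf[buf_len], accepting at most
 * HUGE_STRING_LEN/2 bytes so half the request buffer stays free for what
 * the server appends later. Returns the number of bytes stored, or -1 if
 * the line exceeds the cap (nothing is stored in that case). */
int cap_request_line(const char *raw, size_t raw_len, char *buf, size_t buf_len)
{
    size_t cap = HUGE_STRING_LEN / 2;
    const char *nl = memchr(raw, '\n', raw_len);
    size_t n = nl ? (size_t)(nl - raw) : raw_len;
    if (buf_len == 0)
        return -1;
    if (cap > buf_len - 1)
        cap = buf_len - 1;         /* never exceed the destination either */
    if (n > cap) {
        buf[0] = '\0';
        return -1;                 /* over-long request line: reject */
    }
    memcpy(buf, raw, n);
    buf[n] = '\0';
    return (int)n;
}

/* Request buffer of the size quoted in the thread (constructed for this example). */
char request_buf[HUGE_STRING_LEN];

/* Constructed test input: a path of `len` 'A' bytes in a static buffer. */
const char *constructed_path(size_t len)
{
    static char buf[HUGE_STRING_LEN];
    if (len > sizeof buf - 1)
        len = sizeof buf - 1;
    memset(buf, 'A', len);
    buf[len] = '\0';
    return buf;
}

int main(void)
{
    printf("255-byte path accepted:  %d\n", accept_path(constructed_path(255)));
    printf("8191-byte path accepted: %d\n", accept_path(constructed_path(8191)));
    printf("5000-byte request line:  %d\n",
           cap_request_line(constructed_path(5000), 5000, request_buf, sizeof request_buf));
    return 0;
}
```

The point of bounded_copy returning a status rather than silently truncating is that a truncated path is still a wrong path; the request should be refused outright, and a count of refusals is a useful thing to log.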
Re: ANOTHER hole in NCSA httpd1.3R
The only comprehensive answer is the CERT patch. We've got it.

rst